Chinese Cloud Hopper Attackers Use Zerologon in New Campaign

Chinese state-sponsored attackers are operating a major global campaign against multiple verticals exploiting the Zerologon vulnerability, according to new research from Symantec.

The security giant claimed that the Cicada group (aka APT10, Cloud Hopper) is targeting Japanese companies and their subsidiaries in 17 countries with information-stealing attacks. Affected sectors include automotive, pharmaceutical, engineering and managed service providers (MSPs).

APT10 is well-known to researchers, having been unmasked as the entity behind the infamous Cloud Hopper campaign against global MSPs back in 2017 — at the time branded “one of the largest ever sustained global cyber-espionage campaigns.”

The current campaign is said to have been ongoing since October 2019, with attackers maintaining persistence on some of their victims’ networks for a year, although for others the attacks lasted just days.

Symantec was first alerted to the campaign when it noticed suspicious DLL side-loading activity on one of its customers’ networks. The technique was in fact used by APT10 during multiple stages of attacks to load malware into legitimate processes, the report claimed.

Other classic techniques used by the group include “living off the land” via use of legitimate Windows functions like PowerShell, dual-use and publicly available tools like WMIExec, and custom malware like the newly discovered Backdoor.Hartip.

The group was also observed exploiting the Zerologon elevation-of-privilege bug patched back in August, to remotely hijack a domain to compromise all Active Directory identity services.

“Intelligence gathering and stealing information has generally been the motivation behind Cicada’s attacks in the past, and that would appear to be the case in this attack campaign too. We observed the attackers archiving some folders of interest in these attacks, including in one organization folders relating to human resources, audit and expense data, and meeting memos,” the report noted.

“The group’s use of techniques such as DLL side-loading and a wide array of living-off-the-land tools underline the need for organizations to have a comprehensive security solution in place to detect this kind of suspicious activity before actors like Cicada have the chance to deploy malware or steal information from their networks.”
